An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Monthly Archives: January 2011

On January 25, 2011, the 112th Congress introduced its first data security-related bill—the Cybersecurity and American Cyber Competitiveness Act (S. 21). The bill is co-sponsored by Senate Majority Leader Harry Reid and several Senate Committee leaders, including Senators Leahy, Levin, Bingaman, Kerry, Rockefeller, Lieberman, and Feinstein. The bill seeks to safeguard critical technology infrastructure from cyber attacks and protect individual privacy by improving identity theft prevention measures, guarding against personal information abuse, and seeking to promote international cooperation to combat cyber threats. More information regarding S. 21 is available in a statement released by the bill’s co-sponsors.

In early January 2011, Canadian consumers brought a class action against Google regarding a privacy breach caused by Google’s Buzz social networking and messaging tool. The lawsuit, filed in the Manitoba Court of Queen’s Bench, alleged that Google breached consumers’ privacy because the Buzz tool’s default settings allowed users to view private profile information about other users without consent. Under Canadian privacy law, consumers may collect up to $5,000 per consumer in damages for each privacy breach.

A number of privacy advocates and consumers have expressed concerns over Google’s Buzz tool since its launch in early 2010. In February 2010, the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission (“FTC”), urging an FTC investigation and alleging that Google’s Buzz “violated user expectations, diminished user privacy, contradicted Google’s privacy policy, and may have violated federal wiretap laws.” Further, in November 2010, Google settled a U.S. class action relating to privacy protections for $8.5 million. Finally, a number of countries’ privacy commissioners and data protection authorities, including Canada, France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain, and the United Kingdom, sent a letter to Google in April 2010, expressing concern over the Buzz tool and directing Google and other international corporations to respect individuals’ privacy rights.

On January 25, 2011, the United States House of Representatives Committee on the Judiciary’s Subcommittee on Crime, Terrorism, and Homeland Security (“Crime Subcommittee”) held a hearing regarding the data retention policies of Internet service providers (“ISPs”) and web hosting companies, such as social-networking sites. According to a representative from the Department of Justice, who testified at the hearing, ISPs’ disparate data retention policies hamper criminal investigations and other law enforcement and prosecutor initiatives. The Department of Justice has recommended that Congress create mandatory data retention requirements to help facilitate law enforcement and prosecutor activities. No specific legislation was proposed during the Crime Subcommittee hearing; rather, legislators and agency and industry representatives explored the need for data retention requirements.

Privacy advocates have questioned the implication of mandatory data retention requirements that would require entities to maintain sensitive consumer data, such as personally identifiable Internet address information, email, instant messaging correspondence, and what Web pages users visit. For example, past data retention legislation would have required certain Internet companies to maintain Internet protocol addresses for two years. These data retention proposals conflict with recent agency privacy-protection suggestions advocating the storage of less consumer data, such as the Federal Trade Commission’s proposed privacy framework, which suggests that businesses should “retain[] consumer data for only as long as they have a specific and legitimate business need to do so.”

More information regarding the Crime Subcommittee’s hearing is available here.

Today, the Supreme Court issued its decision in NASA v. Nelson, a case relating to employee privacy. The Court unanimously ruled (excluding Justice Kagan, who recused) that the federal government has broad latitude to ask questions about the background of independent contractors who work at government facilities.

The Ninth Circuit had previously ruled that the background checks at issue were too invasive of individual privacy because they asked about drug treatment and counseling within the previous year, and asked open-ended questions about the individual’s employment suitability. The background check policy at issue was developed after the 2001 terrorist attacks.

Writing for the Court, Justice Alito stated that "the challenged portions of [the forms] consist of reasonable, employment-related inquiries that further the Government’s interest in managing its internal operations." The Court rejected arguments that the Government’s inquiries violated a constitutional right to informational privacy.

Mark your calendars for Data Privacy Day – January 28, 2011. Countries around the world are hosting events in honor of Data Privacy Day (or Data Protection Day). This year is the thirtieth anniversary of the date on which the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council of Europe on January 28, 1981. Some highlights include:

On January 7, 2010, the U.S. Supreme Court granted the petition for writ of certiorari filed by the State of Vermont seeking to overturn the decision from the Second Circuit which held that Vermont’s prescription confidentiality law was unconstitutional.

The section of the Vermont law at issue in the appeal, codified at 18 V.S.A. § 4631, prohibits the sale, license, or exchange for value of prescriber-identifiable data for marketing or promoting a prescription drug unless the prescriber consents. The Vermont legislature passed the law in 2007, intending to protect public health, to protect prescriber privacy, and to reduce health care costs.

The law was challenged by companies, commonly referred to as “data miners,” which purchase information regarding prescriptions from pharmacies, including the prescriber’s name and address, the name, dosage, and quantity of the drug, the date and place the prescription is filled, and the patient’s age and gender. The data miners aggregate this information and sell it to pharmaceutical research and manufacturing companies to assist in their marketing efforts to prescribing physicians. The law was also challenged by the Pharmaceutical Research and Manufacturers of America.

The Second Circuit overturned the district court’s decision, 631 F. Supp. 2d 434 (D. Vt. 2009), which had upheld the Vermont law as a constitutional restriction of commercial speech. The Second Circuit determined that the Vermont law did not pass intermediate scrutiny under Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n, 447 U.S. 557 (1980), because the Vermont law did not “advance the state’s interests in public health and reducing costs in a direct and material way” and there were less speech-restrictive means which Vermont could have used.

The Second Circuit’s decision created a split with the First Circuit, which had previously upheld similar laws from New Hampshire (IMS Health Inc. v. Ayotte, 550 F.3d 42 (2008)) and Maine (IMS Health Inc. v. Mills, 616 F.3d 7 (2010)).

According to a statement from the Vermont Attorney General, the case, Sorrell v. IMS Health Inc., No. 10-779, will likely be argued in April of this year and decided before the end of the Court’s term in June.